You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

250 lines
7.9 KiB

  1. package openid
  2. import (
  3. "errors"
  4. "fmt"
  5. "io/ioutil"
  6. "net/url"
  7. "strings"
  8. )
  9. func Verify(uri string, cache DiscoveryCache, nonceStore NonceStore) (id string, err error) {
  10. return defaultInstance.Verify(uri, cache, nonceStore)
  11. }
  12. func (oid *OpenID) Verify(uri string, cache DiscoveryCache, nonceStore NonceStore) (id string, err error) {
  13. parsedURL, err := url.Parse(uri)
  14. if err != nil {
  15. return "", err
  16. }
  17. values, err := url.ParseQuery(parsedURL.RawQuery)
  18. if err != nil {
  19. return "", err
  20. }
  21. // 11. Verifying Assertions
  22. // When the Relying Party receives a positive assertion, it MUST
  23. // verify the following before accepting the assertion:
  24. // - The value of "openid.signed" contains all the required fields.
  25. // (Section 10.1)
  26. if err = verifySignedFields(values); err != nil {
  27. return "", err
  28. }
  29. // - The signature on the assertion is valid (Section 11.4)
  30. if err = verifySignature(uri, values, oid.urlGetter); err != nil {
  31. return "", err
  32. }
  33. // - The value of "openid.return_to" matches the URL of the current
  34. // request (Section 11.1)
  35. if err = verifyReturnTo(parsedURL, values); err != nil {
  36. return "", err
  37. }
  38. // - Discovered information matches the information in the assertion
  39. // (Section 11.2)
  40. if err = oid.verifyDiscovered(parsedURL, values, cache); err != nil {
  41. return "", err
  42. }
  43. // - An assertion has not yet been accepted from this OP with the
  44. // same value for "openid.response_nonce" (Section 11.3)
  45. if err = verifyNonce(values, nonceStore); err != nil {
  46. return "", err
  47. }
  48. // If all four of these conditions are met, assertion is now
  49. // verified. If the assertion contained a Claimed Identifier, the
  50. // user is now authenticated with that identifier.
  51. return values.Get("openid.claimed_id"), nil
  52. }
  53. // 10.1. Positive Assertions
  54. // openid.signed - Comma-separated list of signed fields.
  55. // This entry consists of the fields without the "openid." prefix that the signature covers.
  56. // This list MUST contain at least "op_endpoint", "return_to" "response_nonce" and "assoc_handle",
  57. // and if present in the response, "claimed_id" and "identity".
  58. func verifySignedFields(vals url.Values) error {
  59. ok := map[string]bool{
  60. "op_endpoint": false,
  61. "return_to": false,
  62. "response_nonce": false,
  63. "assoc_handle": false,
  64. "claimed_id": vals.Get("openid.claimed_id") == "",
  65. "identity": vals.Get("openid.identity") == "",
  66. }
  67. signed := strings.Split(vals.Get("openid.signed"), ",")
  68. for _, sf := range signed {
  69. ok[sf] = true
  70. }
  71. for k, v := range ok {
  72. if !v {
  73. return fmt.Errorf("%v must be signed but isn't", k)
  74. }
  75. }
  76. return nil
  77. }
  78. // 11.1. Verifying the Return URL
  79. // To verify that the "openid.return_to" URL matches the URL that is processing this assertion:
  80. // - The URL scheme, authority, and path MUST be the same between the two
  81. // URLs.
  82. // - Any query parameters that are present in the "openid.return_to" URL
  83. // MUST also be present with the same values in the URL of the HTTP
  84. // request the RP received.
  85. func verifyReturnTo(uri *url.URL, vals url.Values) error {
  86. returnTo := vals.Get("openid.return_to")
  87. rp, err := url.Parse(returnTo)
  88. if err != nil {
  89. return err
  90. }
  91. if uri.Scheme != rp.Scheme ||
  92. uri.Host != rp.Host ||
  93. uri.Path != rp.Path {
  94. return errors.New(
  95. "Scheme, host or path don't match in return_to URL")
  96. }
  97. qp, err := url.ParseQuery(rp.RawQuery)
  98. if err != nil {
  99. return err
  100. }
  101. return compareQueryParams(qp, vals)
  102. }
  103. // Any parameter in q1 must also be present in q2, and values must match.
  104. func compareQueryParams(q1, q2 url.Values) error {
  105. for k := range q1 {
  106. v1 := q1.Get(k)
  107. v2 := q2.Get(k)
  108. if v1 != v2 {
  109. return fmt.Errorf(
  110. "URLs query params don't match: Param %s different: %s vs %s",
  111. k, v1, v2)
  112. }
  113. }
  114. return nil
  115. }
  116. func (oid *OpenID) verifyDiscovered(uri *url.URL, vals url.Values, cache DiscoveryCache) error {
  117. version := vals.Get("openid.ns")
  118. if version != "http://specs.openid.net/auth/2.0" {
  119. return errors.New("Bad protocol version")
  120. }
  121. endpoint := vals.Get("openid.op_endpoint")
  122. if len(endpoint) == 0 {
  123. return errors.New("missing openid.op_endpoint url param")
  124. }
  125. localID := vals.Get("openid.identity")
  126. if len(localID) == 0 {
  127. return errors.New("no localId to verify")
  128. }
  129. claimedID := vals.Get("openid.claimed_id")
  130. if len(claimedID) == 0 {
  131. // If no Claimed Identifier is present in the response, the
  132. // assertion is not about an identifier and the RP MUST NOT use the
  133. // User-supplied Identifier associated with the current OpenID
  134. // authentication transaction to identify the user. Extension
  135. // information in the assertion MAY still be used.
  136. // --- This library does not support this case. So claimed
  137. // identifier must be present.
  138. return errors.New("no claimed_id to verify")
  139. }
  140. // 11.2. Verifying Discovered Information
  141. // If the Claimed Identifier in the assertion is a URL and contains a
  142. // fragment, the fragment part and the fragment delimiter character "#"
  143. // MUST NOT be used for the purposes of verifying the discovered
  144. // information.
  145. claimedIDVerify := claimedID
  146. if fragmentIndex := strings.Index(claimedID, "#"); fragmentIndex != -1 {
  147. claimedIDVerify = claimedID[0:fragmentIndex]
  148. }
  149. // If the Claimed Identifier is included in the assertion, it
  150. // MUST have been discovered by the Relying Party and the
  151. // information in the assertion MUST be present in the
  152. // discovered information. The Claimed Identifier MUST NOT be an
  153. // OP Identifier.
  154. if discovered := cache.Get(claimedIDVerify); discovered != nil &&
  155. discovered.OpEndpoint() == endpoint &&
  156. discovered.OpLocalID() == localID &&
  157. discovered.ClaimedID() == claimedIDVerify {
  158. return nil
  159. }
  160. // If the Claimed Identifier was not previously discovered by the
  161. // Relying Party (the "openid.identity" in the request was
  162. // "http://specs.openid.net/auth/2.0/identifier_select" or a different
  163. // Identifier, or if the OP is sending an unsolicited positive
  164. // assertion), the Relying Party MUST perform discovery on the Claimed
  165. // Identifier in the response to make sure that the OP is authorized to
  166. // make assertions about the Claimed Identifier.
  167. if ep, _, _, err := oid.Discover(claimedID); err == nil {
  168. if ep == endpoint {
  169. // This claimed ID points to the same endpoint, therefore this
  170. // endpoint is authorized to make assertions about that claimed ID.
  171. // TODO: There may be multiple endpoints found during discovery.
  172. // They should all be checked.
  173. cache.Put(claimedIDVerify, &SimpleDiscoveredInfo{opEndpoint: endpoint, opLocalID: localID, claimedID: claimedIDVerify})
  174. return nil
  175. }
  176. }
  177. return errors.New("Could not verify the claimed ID")
  178. }
  179. func verifyNonce(vals url.Values, store NonceStore) error {
  180. nonce := vals.Get("openid.response_nonce")
  181. endpoint := vals.Get("openid.op_endpoint")
  182. return store.Accept(endpoint, nonce)
  183. }
  184. func verifySignature(uri string, vals url.Values, getter httpGetter) error {
  185. // To have the signature verification performed by the OP, the
  186. // Relying Party sends a direct request to the OP. To verify the
  187. // signature, the OP uses a private association that was generated
  188. // when it issued the positive assertion.
  189. // 11.4.2.1. Request Parameters
  190. params := make(url.Values)
  191. // openid.mode: Value: "check_authentication"
  192. params.Add("openid.mode", "check_authentication")
  193. // Exact copies of all fields from the authentication response,
  194. // except for "openid.mode".
  195. for k, vs := range vals {
  196. if k == "openid.mode" {
  197. continue
  198. }
  199. for _, v := range vs {
  200. params.Add(k, v)
  201. }
  202. }
  203. resp, err := getter.Post(vals.Get("openid.op_endpoint"), params)
  204. if err != nil {
  205. return err
  206. }
  207. defer resp.Body.Close()
  208. content, err := ioutil.ReadAll(resp.Body)
  209. response := string(content)
  210. lines := strings.Split(response, "\n")
  211. isValid := false
  212. nsValid := false
  213. for _, l := range lines {
  214. if l == "is_valid:true" {
  215. isValid = true
  216. } else if l == "ns:http://specs.openid.net/auth/2.0" {
  217. nsValid = true
  218. }
  219. }
  220. if isValid && nsValid {
  221. // Yay !
  222. return nil
  223. }
  224. return errors.New("Could not verify assertion with provider")
  225. }